Commerce on the internet is hindered by the inconvenience of creating, viewing, and signing agreements and contracts over the world wide web (“the web”). Many agreements and contracts are too large or too complex to be executed on the web using more commonly used methods such as, for example, exchanging credit card information between parties to a contract. These contracts can include multiple clauses, or may require that parties extensively modify standard contract forms by entering information into the forms and defining the scope of the executed contract. Certain clauses may need to be initialed signifying that each party has read and agrees to the initialed clause. Also, there can be several parties to a contract, requiring all parties to sign the contract document.
Technology for signing and authenticating electronic documents is available. One technology is public key cryptography. Using this technology, a prospective signer obtains a public key and an associated private key. A document encrypted with a signer's public key is relatively difficult to decrypt without knowledge of the associated private key. Decrypting an encrypted document or a digital signature with a signer's public key verifies, with a degree of certainty, that the document or signature was encrypted by a person having access to the associated private key. A digital signature can be created by encrypting a one way hash of a document with a private key. The hash is a condensed and unique form of the document, and any changes to the document after signing results in an altered hash. Thus, the digital signature is unique to the document and to the signer's private key. A recipient of the digitally signed document can verify that the document was signed by a particular person, and that the document was unaltered after signing, by decrypting the digital signature using the signer's public key, and confirming that the resulting decrypted hash is identical to a newly produced hash of the received document. Typically, public keys are used to encrypt message or to verify signed documents, and private key are kept secret, and are used to decrypt messages or to sign document.
The recipient of the signed document can authenticate the digital signature by having a trusted third party independently confirm the identity of the person owning the private/public key pair. Certificates are instrumental in authentication. The signer's certificate is a document that is encrypted using a trusted third party's private key, that identifies the owner of the public key, and that contains the signer's public key. The certificate confirms that the trusted third party knows the owner of the attached public key to be the person listed in the certificate. The trusted third party can be a certification authority. To authenticate the signature, the recipient decrypts the certificate using the certification authority's widely available and trusted public key, and uses the enclosed signer's public key to verify the signature appended to the originally received document.
However, methods currently available for deploying this technology are cumbersome to use. For example, an individual browsing the web using a commonly available browser such as Netscape Navigator or Internet Explorer might want to enter into a contract with a supplier on the web. The individual goes to the supplier's web site and views a sample contract. To sign the contract, the individual downloads the document and opens encryption enabled program capable of reading, amending and signing the downloaded document. The encryption enabled program must be installed on the individual's computer in addition to the browser. After adding relevant information to the document, the individual digitally signs the document using a private key that must be securely kept by the individual. The individual then emails the document to the supplier. On receiving the digitally signed document, the supplier must verify the digital signature using the individual's public key, and authenticate the individual's certificate using a trusted certification authority's public key.
This method of transacting business over the web has not been widely adopted. Many web users are unfamiliar with the intricacies of digitally signing documents, and are therefore reluctant to familiarize themselves with the technology and to purchase the necessary hardware and software required to use these methods. Transacting parties frequently resort to completing transactions by executing contracts on paper.
In addition to the inconvenience of current digital signing methods, widespread use of public key cryptography can be problematic for security reasons. With current technology, each signer must maintain the confidentiality of his or her private key. The security of current digital signing methods depends on how securely signers keep their private keys. Frequently, signers are unfamiliar with computer technology and potential threats to the confidentiality of their private keys. Private keys may be stored unsecured or weakly secured in a signer's computer and may be vulnerable to hacking. Businesses having customers with a broad range of computing sophistication may be reluctant to transact business with customers using these digital signing and authenticating methods in light of the described drawbacks.
Therefore, a need exists for a more secure and convenient method of digitally signing and authenticating electronic documents on the web.